SEDR appliance MD5 and SHA256 Deny list differences

Article ID: 162851

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When a file is added to a Deny list policy in the Symantec Endpoint Detection and Response (SEDR) appliance, it can be entered by its SHA256 hash, by its MD5 hash, or by both. The two hash types are enforced on the endpoint through different mechanisms, which are explained below.

Resolution

File hash SHA256
If Symantec Endpoint Protection (SEP) is configured to use the appliance as its Private Cloud (the Insight lookup server), a Deny listed SHA256 hash is enforced through reputation lookups. When SEP encounters a matching executable on an endpoint, it queries the appliance, SEDR returns a "Bad" reputation for that hash, and the client's Download Insight protection technology convicts and quarantines the file.

Note: If the SEP client has already cached an Insight response for that file in its local IronDB, it will not query the appliance again until the cached entry expires. A file that was looked up before its hash was Deny listed may therefore not be convicted until the cache expires or a new lookup is triggered.

Starting with SEDR 4.6 and SEP/SEPM 14.3 RU1: SEDR also adds the SHA256 hashes on the Deny list to a SEPM Exceptions policy. This lets the client recognize the file as blocked immediately, without depending on an Insight query (or on the cache described above).

See also: Expected behavior of Download Insight, and How the Insight Lookup process works.

File hash MD5
If SEDR is integrated with SEP, the MD5 hash is added to the File Fingerprint List on Symantec Endpoint Protection Manager (SEPM) whose name corresponds to the appliance. SEP's System Lockdown feature is then automatically enabled in Blacklist mode for all domains, and for all groups within those domains, using that File Fingerprint List.

Note: Do not change the System Lockdown setting from Blacklist mode to Whitelist mode. SEPM will not prevent the change, but it will unintentionally block important applications on client computers, because Whitelist mode allows only the applications on the list to run. For example, the operating system process svchost.exe is not on the blacklist; switching the mode to Whitelist blocks it from running.

If you add a new group to SEPM, the appliance's File Fingerprint List is subsequently synchronized with that group as well. This list does not affect any other fingerprint lists that you create in SEPM yourself.

Notes:

  • SEPM client groups that already had System Lockdown enabled in Whitelist mode before the SEDR (formerly ATP) integration are not affected by the appliance's blacklist.
  • System Lockdown only blocks executable files whose MD5 hash matches an entry in the blacklist. SEP will not block ordinary data files such as .jpg or .xml on the basis of an MD5 entry.
  • MD5 is no longer collision-resistant, so two different files can share an MD5 hash. Where the SEP version supports it, enter the SHA256 hash as well, so the file is also convicted by reputation and by the Exceptions policy rather than by the MD5 blacklist alone.
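The following Python script is an added example and is not from the article or from Symantec. It computes both hash values the Deny list accepts for a given file (the SHA256 entry enforced through Insight reputation, and the MD5 entry enforced through System Lockdown) and flags whether the file is a Windows PE image. The "MZ" header check, the record field names and the sample files are this example's own assumptions; it does not reproduce the SEDR or SEPM import format, and SEP's exact definition of "executable" for System Lockdown is not documented in the article.

```python
import hashlib
import os
import tempfile


def hash_bytes(data):
    """Return (md5_hex, sha256_hex) for an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for a file, streamed in chunks so large
    binaries are never read into memory whole."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def is_pe_image(path):
    """Assumption made by this example: a file counts as a Windows executable
    if it starts with the DOS 'MZ' signature shared by .exe/.dll/.sys images.
    SEP's own notion of 'executable' for System Lockdown may differ."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def deny_list_entry(path):
    """Hypothetical record shape (not the SEDR Deny list or SEPM import format)."""
    md5, sha256 = file_hashes(path)
    executable = is_pe_image(path)
    return {
        "file": os.path.basename(path),
        "md5": md5,           # value to enter as the MD5 Deny list hash
        "sha256": sha256,     # value to enter as the SHA256 Deny list hash
        "pe_image": executable,
        # Per the article, the MD5 blacklist is enforced by System Lockdown only
        # on executables; a data file with a matching MD5 would not be blocked.
        "lockdown_enforced": executable,
    }


def build_deny_list(paths):
    """Build one record per file, in the order given."""
    return [deny_list_entry(p) for p in paths]


def demo():
    """Two constructed sample files (not real malware, not real file formats)
    showing one file System Lockdown would act on and one it would not."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "sample.exe")
        jpg = os.path.join(d, "sample.jpg")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x90" * 62 + b"constructed sample, not a real PE image")
        with open(jpg, "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + b"constructed sample, not a real JPEG")
        return build_deny_list([exe, jpg])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Run it against the real file you intend to Deny list, enter the `sha256` value (and, for System Lockdown coverage, the `md5` value) in the policy, and treat `lockdown_enforced` as a reminder that an MD5-only entry for a non-executable file will not be blocked by System Lockdown.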


See also: Interaction between system lockdown and Symantec EDR deny list (blacklist) rules, in the SEP product documentation on the support portal.